Mobile

Apple’s surprising response to SMS spoofing flaw: Use iMessage instead!

Apple responded this weekend to reports of a vulnerability in the SMS service of its iOS devices, a flaw that lets hackers spoof their identities via text and send you messages asking for private information.

In a statement sent to media outlets yesterday, Apple said it takes security very seriously, but it directs users to use Apple’s own iMessage service  instead of texting. Apple said it is able to verify addresses sent through iMessage, which protects against spoofing.

It’s a convenient statement by Apple, which no doubt would like to boost its own service over the more widespread SMS protocol service. But iMessage can only be used between people on iPhone, iPad, or iPod touch devices with iOS 5.

According to Apple, or at least to those who are reading more into its statement, the spoofing of SMS is a security risk inherent in texting technology and can happen on any phone, not just iOS devices. It’s just that the hacker who demonstrated the spoof last week did so on iOS devices. According to this thinking, Apple may be saying there’s nothing it can do for now to prevent the SMS spoofing, but at least it can direct its users to the safer iMessage service.

However, according to our report by VentureBeat’s Devindra Hardawar, the spoof hacker said that the “reply to” spoof doesn’t affect every phone. The proper implementation should show both the original sender address and the spoofed one.

Here’s Apple’s statement:

Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.


Mobile developer or publisher? VentureBeat is studying mobile app analytics. Fill out our 5-minute survey, and we'll share the data with you.
0 comments